From: M. Mohan (mmsundar@yahoo.com)
Date: Fri Apr 13 2007 - 20:05:16 ART
Hi Edward,

A digital certificate simply verifies that a public key
belongs to a particular entity. That's all. Many other
things happen before real encrypted traffic can flow
between the peers.

Inside peer B's certificate will be peer B's name, IP
address and public key. The important part here is the
corresponding private key of peer B, which is unknown
to peer C, for that matter, unknown to anyone. Once
Peer A verifies peer B's certificate (that it got
from C) and extracts peer B's public key, it sends a
"pre-master secret" to peer C (thinking that it is
talking to B) by encrypting the pre-master secret with
peer B's public key. Since peer C does not have peer B's
private key, peer C will not be able to decrypt the
"pre-master secret" sent by A and the negotiation will
fail at this point in time.

"Pre-master secret" is used by both the ends to
generate a master secret, a symmetric key, that will
be used for encrypting and decrypting the actual data
by both the ends.

It's important to note that both client and server
authentication involve encrypting some piece of data
with one key of a public-private key pair and
decrypting it with the other key:

In this case, A encrypts the premaster secret with
B's public key. Only the corresponding private key of
B can correctly decrypt the secret, so A has some
assurance that the identity associated with the public
key is in fact B with which A is connected. Peer C
cannot decrypt the premaster secret and cannot
generate the symmetric keys required for the session,
and the session will be terminated.

For more info:
http://docs.sun.com/source/816-6156-10/contents.htm

Hope that clarifies.

Regards,
Mohan

--- Edward Norton <doubleccie@yahoo.com> wrote:
> Folks,
> I have spent some time reading and testing the
> point of using digital certificates as a way of
> origin authentication with VPN peers. There is a
> question which bothers my theory understanding, which
> is as follows:
>
> If peerA wants to check that peerB is actually
> peerB, he would request the digital certificate of
> peerB (which contains peerB's public key and the
> signature of the CA)... on peerA there are two
> certificates, his own identity certificate and the
> certificate of the CA (which contains the public key
> of the CA and will validate the signature of peerB's
> certificate).
>
> All that is ok, now the question is... since peerB
> sends out his digital certificate to anyone who
> requests to authenticate with him, why not someone
> (peerC) gets this certificate, installs it and acts
> as if he is peerB??
>
>
> I am sure I must be missing something here... can
> someone explain this?
>
> Thanks
>
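
The exchange described in the reply above, as an added example that is not part of the original thread: peer A encrypts a pre-master secret to the public key in B's certificate, and only a responder holding B's private key can produce a matching session MAC. It assumes toy textbook RSA built from fixed Mersenne primes and a simplified HMAC-based key derivation; the names `toy_keypair`, `session_mac`, `responder` and `handshake` are hypothetical, and none of this is suitable for real use.

```python
import hashlib
import hmac
import secrets

E = 65537  # common RSA public exponent

def toy_keypair(p, q):
    """Textbook RSA from two primes (no padding; illustration only)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": E}, {"n": n, "d": pow(E, -1, phi)}

# Constructed keys built from known Mersenne primes.
B_PUB, B_PRIV = toy_keypair(2**127 - 1, 2**89 - 1)  # peer B's real key pair
_, C_PRIV = toy_keypair(2**107 - 1, 2**61 - 1)      # peer C's own, unrelated key

# The certificate is public data: anyone, including C, can copy and present it.
# The CA signature is omitted; assume A has already validated it.
B_CERT = {"subject": "peerB", "public_key": B_PUB}

def session_mac(premaster: int, transcript: bytes) -> bytes:
    """Simplified stand-in for master-secret derivation plus a Finished MAC."""
    key = premaster.to_bytes(32, "big")
    master = hmac.new(key, b"master secret", hashlib.sha256).digest()
    return hmac.new(master, transcript, hashlib.sha256).digest()

def responder(ciphertext: int, priv: dict, transcript: bytes) -> bytes:
    """Whoever presented B_CERT decrypts with the private key they really hold."""
    return session_mac(pow(ciphertext, priv["d"], priv["n"]), transcript)

def handshake(responder_priv: dict) -> bool:
    """Peer A's view: did the peer presenting B_CERT prove it holds B's key?"""
    transcript = b"helloA|helloB|cert:peerB"   # constructed handshake transcript
    pub = B_CERT["public_key"]
    premaster = secrets.randbits(128) | (1 << 127)  # fresh 128-bit secret
    ciphertext = pow(premaster, pub["e"], pub["n"])  # encrypt to B's public key
    expected = session_mac(premaster, transcript)
    reply = responder(ciphertext, responder_priv, transcript)
    return hmac.compare_digest(expected, reply)

if __name__ == "__main__":
    print("real peer B accepted:", handshake(B_PRIV))            # True
    print("peer C with B's cert accepted:", handshake(C_PRIV))   # False
```
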
This archive was generated by hypermail 2.1.4 : Tue May 01 2007 - 08:28:35 ART